[ldns-users] [ Patch ] Configuring a trust anchor in ldns ?

Simon Vallet svallet at genoscope.cns.fr
Fri May 11 12:51:49 UTC 2007


On Wed, 9 May 2007 10:20:22 +0200
Simon Vallet <svallet at genoscope.cns.fr> wrote:

> On Sun, 06 May 2007 14:24:15 +0200
> Jelte Jansen <jelte at NLnetLabs.nl> wrote:
>
> > the functions in the main library only verify signatures and keys
> > directly. There is functionality to find the KSK but this is only in
> > drill, since this is part of chasing/tracing and 'complete' validation,
> > which hasn't made it back to the main library yet (the present code is
> > too specific and not really ready for that (yet)).
> 
> OK -- I'll take a look at drill and try to cook something up using the
> code there.

Hmmm... looking at the code in drill I'm a bit puzzled by the following
bit, for which there is a simple patch, which is attached.

  /* check the other signatures, there might be a trusted KSK here */
  for (ksk_sig_i = 0; ksk_sig_i < ldns_rr_list_rr_count(sigs); ksk_sig_i++) {
    ksk_sig = ldns_rr_list_rr(sigs, ksk_sig_i);
    if (ldns_rdf2native_int16(ldns_rr_rrsig_keytag(ksk_sig)) !=
        ldns_calc_keytag(ldns_rr_list_rr(keys, key_i))) {
      for (ksk_i = 0; ksk_i < ldns_rr_list_rr_count(keys); ksk_i++) {
        if (ldns_rdf2native_int16(ldns_rr_rrsig_keytag(ksk_sig)) ==
            ldns_calc_keytag(ldns_rr_list_rr(keys, ksk_i))) {

          result = ldns_verify_rrsig(rrset, cur_sig, ldns_rr_list_rr(keys, key_i));
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

          if (result == LDNS_STATUS_OK) {
            for (tkey_i = 0; tkey_i < ldns_rr_list_rr_count(trusted_keys); tkey_i++) {
              if (ldns_rr_compare_ds(ldns_rr_list_rr(keys, ksk_i),
                                     ldns_rr_list_rr(trusted_keys, tkey_i)
                                     )) {
                if (verbosity > 1) {
                  mesg("Key is signed by trusted KSK");
                }
                ldns_rr_list_deep_free(rrset);
                ldns_rr_list_deep_free(sigs);
                ldns_rr_list_deep_free(keys);
                ldns_pkt_free(pkt);
                ldns_rr_free(cur_sig);
                return LDNS_STATUS_OK;
              }
            }
          }
        }
      }
      
    }
  }


The rationale is that there seems to be no point in re-verifying the
sig in cur_sig with the key indexed by key_i, and that this call is likely 
to always return a successful status. There might be a point 
to call ldns_verify_rrsig() with ksk_sig and the key indexed by ksk_i, 
though.

Simon
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: patch
URL: <http://lists.nlnetlabs.nl/pipermail/ldns-users/attachments/20070511/7c265f9f/attachment.ksh>
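The pairing problem Simon points at, isolated in an added example that is not part of his message and not ldns or drill code. It implements the RFC 4034 Appendix B key tag computation (what ldns_calc_keytag() does) and two versions of the "find a trusted KSK" loop: one that verifies each candidate RRSIG with the key whose tag it names, and one that mirrors the quoted code and re-verifies the already-verified (cur_sig, key_i) pair. Real signature verification is replaced by a toy checksum (toy_sign/toy_verify) so it builds with no crypto library; the trust check is plain RDATA equality rather than a DS comparison; the keys, RRset bytes and signatures are constructed. The scenario shows why the quoted call is a problem: a KSK-tagged RRSIG whose signature value is corrupted is still accepted by the as-quoted loop, because the only verify call it makes is on the ZSK pair that was already known good.

```c
/* Added example, not ldns or drill code: RFC 4034 key tags plus the corrected and
 * as-quoted RRSIG/DNSKEY pairing loops.  Signatures are a toy checksum, not RSA. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint8_t rdata[16];  /* flags(2) | protocol(1) | algorithm(1) | public key */
    size_t len;
} dnskey_t;

typedef struct {
    uint16_t keytag;    /* RRSIG key tag field, cf. ldns_rr_rrsig_keytag() */
    uint32_t sig;       /* toy signature value, see toy_sign() */
} rrsig_t;

/* RFC 4034 Appendix B key tag over DNSKEY RDATA (algorithms other than 1). */
uint16_t dnskey_keytag(const uint8_t *rdata, size_t len) {
    uint32_t ac = 0;
    for (size_t i = 0; i < len; i++)
        ac += (i & 1) ? rdata[i] : (uint32_t)rdata[i] << 8;
    ac += (ac >> 16) & 0xFFFF;
    return (uint16_t)(ac & 0xFFFF);
}

/* Toy signature (assumption): FNV-1a over key RDATA and RRset bytes.  It only
 * models that a signature is bound to one specific key. */
static uint32_t toy_sign(const dnskey_t *key, const uint8_t *rrset, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < key->len; i++) { h ^= key->rdata[i]; h *= 16777619u; }
    for (size_t i = 0; i < n; i++)        { h ^= rrset[i];      h *= 16777619u; }
    return h;
}

/* Stand-in for ldns_verify_rrsig(): succeeds only for the pair that made the sig. */
static bool toy_verify(const uint8_t *rrset, size_t n, const rrsig_t *sig, const dnskey_t *key) {
    return sig->sig == toy_sign(key, rrset, n);
}

/* Stand-in for the ldns_rr_compare_ds() trust check: byte-equal RDATA. */
static bool is_trusted(const dnskey_t *key, const dnskey_t *trusted, size_t ntrusted) {
    for (size_t i = 0; i < ntrusted; i++)
        if (trusted[i].len == key->len && memcmp(trusted[i].rdata, key->rdata, key->len) == 0)
            return true;
    return false;
}

/* Corrected pairing: each candidate KSK signature is verified with the key whose
 * tag it names.  Returns the index of the trusted key that validated, or -1. */
int find_trusted_ksk(const uint8_t *rrset, size_t n, const rrsig_t *sigs, size_t nsigs,
                     const dnskey_t *keys, size_t nkeys, const dnskey_t *trusted, size_t ntrusted) {
    for (size_t s = 0; s < nsigs; s++)
        for (size_t k = 0; k < nkeys; k++)
            if (sigs[s].keytag == dnskey_keytag(keys[k].rdata, keys[k].len)
                && is_trusted(&keys[k], trusted, ntrusted)
                && toy_verify(rrset, n, &sigs[s], &keys[k]))
                return (int)k;
    return -1;
}

/* Pairing as quoted from drill: sigs[s] and keys[k] are matched by tag, but the
 * verify call re-checks the already-verified (cur_sig, keys[key_i]) pair instead. */
int find_trusted_ksk_as_quoted(const uint8_t *rrset, size_t n, const rrsig_t *sigs, size_t nsigs,
                               const dnskey_t *keys, size_t nkeys, const dnskey_t *trusted,
                               size_t ntrusted, const rrsig_t *cur_sig, size_t key_i) {
    uint16_t cur_tag = dnskey_keytag(keys[key_i].rdata, keys[key_i].len);
    for (size_t s = 0; s < nsigs; s++)
        for (size_t k = 0; k < nkeys; k++)
            if (sigs[s].keytag != cur_tag
                && sigs[s].keytag == dnskey_keytag(keys[k].rdata, keys[k].len)
                && toy_verify(rrset, n, cur_sig, &keys[key_i])   /* the call marked ^^^ above */
                && is_trusted(&keys[k], trusted, ntrusted))
                return (int)k;
    return -1;
}

/* Constructed sample: a ZSK (flags 256) and a KSK (flags 257) with tiny fake public keys. */
static const dnskey_t SAMPLE_ZSK = { {0x01,0x00,0x03,0x08,0x03,0x01,0x00,0x01,0x12,0x34}, 10 };
static const dnskey_t SAMPLE_KSK = { {0x01,0x01,0x03,0x08,0x03,0x01,0x00,0x01,0xAB,0xCD}, 10 };
static const uint8_t SAMPLE_RRSET[] = "example. DNSKEY rrset bytes (constructed)";

/* Scenario: a genuine KSK signature; the corrected pairing returns the KSK's index (1). */
int scenario_genuine_ksk_sig(void) {
    dnskey_t keys[2] = { SAMPLE_ZSK, SAMPLE_KSK };
    dnskey_t trusted[1] = { SAMPLE_KSK };
    rrsig_t sigs[1] = { { dnskey_keytag(SAMPLE_KSK.rdata, SAMPLE_KSK.len),
                          toy_sign(&SAMPLE_KSK, SAMPLE_RRSET, sizeof SAMPLE_RRSET) } };
    return find_trusted_ksk(SAMPLE_RRSET, sizeof SAMPLE_RRSET, sigs, 1, keys, 2, trusted, 1);
}

/* Scenario: a valid ZSK signature plus a KSK-tagged RRSIG whose value is corrupted by
 * one bit.  Returns 1 if the pairing under test accepts the RRset via the trusted KSK. */
int scenario_accepts_corrupt_ksk_sig(bool as_quoted) {
    dnskey_t keys[2] = { SAMPLE_ZSK, SAMPLE_KSK };
    dnskey_t trusted[1] = { SAMPLE_KSK };
    rrsig_t zsk_sig = { dnskey_keytag(SAMPLE_ZSK.rdata, SAMPLE_ZSK.len),
                        toy_sign(&SAMPLE_ZSK, SAMPLE_RRSET, sizeof SAMPLE_RRSET) };
    rrsig_t bad_ksk_sig = { dnskey_keytag(SAMPLE_KSK.rdata, SAMPLE_KSK.len),
                            toy_sign(&SAMPLE_KSK, SAMPLE_RRSET, sizeof SAMPLE_RRSET) ^ 1u };
    rrsig_t sigs[2] = { zsk_sig, bad_ksk_sig };
    int k = as_quoted
        ? find_trusted_ksk_as_quoted(SAMPLE_RRSET, sizeof SAMPLE_RRSET, sigs, 2, keys, 2,
                                     trusted, 1, &zsk_sig, 0)
        : find_trusted_ksk(SAMPLE_RRSET, sizeof SAMPLE_RRSET, sigs, 2, keys, 2, trusted, 1);
    return k >= 0;
}

int main(void) {
    printf("ZSK tag %u, KSK tag %u\n", dnskey_keytag(SAMPLE_ZSK.rdata, SAMPLE_ZSK.len),
           dnskey_keytag(SAMPLE_KSK.rdata, SAMPLE_KSK.len));
    printf("genuine KSK sig -> key index %d\n", scenario_genuine_ksk_sig());
    printf("corrupt KSK sig accepted: corrected=%d, as quoted=%d\n",
           scenario_accepts_corrupt_ksk_sig(false), scenario_accepts_corrupt_ksk_sig(true));
    return 0;
}
```

The difference between the two loops is exactly the argument pair handed to the verify call: the as-quoted version only ever proves what was already proven about (cur_sig, key_i), so the "key is signed by trusted KSK" conclusion rests on a tag match alone; the corrected version makes the trusted key actually verify the signature that carries its tag.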